Open source software security

First Looks at Google Chrome


This week Google entered the web browser wars with a vengeance, releasing their own web browser, dubbed Chrome, as a free beta. Chrome sports some impressive features and is being released as entirely free, open source software. Of particular interest are the new security features that are built into Chrome. Two extremely interesting security features are the browser's privacy mode and the way Chrome handles tabs.

Chrome's privacy mode is called 'incognito' and supposedly doesn't log anything to the computer during your session. This mode does in fact seem to keep your browsing history safe from storage on your hard disk. This doesn't prevent anyone from sniffing the session or monitoring your internet browsing, but it does keep you safe from a forensic examination of your hard drive turning up evidence of browsing history. This feature is sort of interesting but it doesn't protect you from a whole lot other than casual snooping.

Google Chrome in Incognito Mode

Chrome is also designed with a security model similar to Java. Each tab is run in its own segregated environment. Theoretically this prevents crashes or problems in one tab from affecting another tab. This also could prevent information from one tab from being exposed to another tab. This could prevent certain types of cross site scripting (XSS) or cross site request forgery (CSRF) attacks.
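The fault and memory isolation described above can be seen with ordinary operating system processes. This is an added example, not Chrome's code: it assumes a POSIX system, uses fork() as a stand-in for per-tab processes, and names such as tab_main, run_tabs and session_token are hypothetical.

```c
/* Added illustration (not Chrome code): one process per "tab" via POSIX fork(). */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define NTABS 3

/* State owned by the "browser" process; every forked tab gets a private copy. */
static char session_token[40] = "browser-secret";

/* Body of one hypothetical tab; tab `crash_tab` simulates a renderer bug. */
static void tab_main(int id, int crash_tab) {
    /* This write lands in the tab's own address space only. */
    snprintf(session_token, sizeof session_token, "overwritten-by-tab-%d", id);
    if (id == crash_tab)
        raise(SIGSEGV);              /* stand-in for a crash on a crafted link */
    _exit(0);
}

/* Start NTABS tabs and reap them. crashed[i] is set to 1 if tab i was killed
   by a signal. Returns the number of tabs that exited normally, -1 on error. */
int run_tabs(int crash_tab, int crashed[NTABS]) {
    pid_t pids[NTABS];
    int healthy = 0;
    for (int i = 0; i < NTABS; i++) {
        pids[i] = fork();
        if (pids[i] < 0) return -1;
        if (pids[i] == 0) tab_main(i, crash_tab);
    }
    for (int i = 0; i < NTABS; i++) {
        int status = 0;
        if (waitpid(pids[i], &status, 0) < 0) return -1;
        crashed[i] = WIFSIGNALED(status) ? 1 : 0;
        healthy += WIFEXITED(status) ? 1 : 0;
    }
    return healthy;
}

/* 1 if nothing a tab wrote reached the browser process's copy of the state. */
int browser_state_intact(void) {
    return strcmp(session_token, "browser-secret") == 0;
}

int main(void) {
    int crashed[NTABS];
    int healthy = run_tabs(1, crashed);
    printf("healthy=%d tab1=%d intact=%d\n", healthy, crashed[1], browser_state_intact());
    return 0;
}
```

The example covers only crash containment and separate address spaces; it does not model how a browser decides which pages may share a process.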

Although Chrome is officially still in beta, it appears fairly solid. Two security problems have been reported as of this writing. The first is the notorious carpet bomb attack that has plagued many browsers. This attack involves downloading a file to a well-known location, then executing the file from within the browser, but outside the context of the browser. This can lead to arbitrary execution of code with user privileges. Although some user intervention is involved in order to get the carpet bomb attack to work in Chrome, it is far from a trivial threat.

The second issue was reported on the security mailing list Full Disclosure by Rashi Narang. The reported problem is a bug that causes a crash when a maliciously crafted link is handled. Fortunately, the bug only causes the tab that handles the URL to crash. Proof of concept was released at http://evilfingers.com/advisory/google_chrome_poc.php (careful with this link).

One major concern with the new Chrome browser has to do with the EULA (End User License Agreement). That agreement states that Services include "Google’s products, software, services and web sites" and then goes on to attach some pretty severe language to Services. One such statement seems to give Google the right to filter content presented through Chrome by stating "Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service." Furthermore, Google directly contravenes their own statements about the open source nature of Chrome in section 10.2 by stating that "You may not (and you may not permit anyone else to) copy, modify, create a derivative work of, reverse engineer, decompile or otherwise attempt to extract the source code of the Software or any part thereof, unless this is expressly permitted or required by law, or unless you have been specifically told that you may do so by Google, in writing." Authors may also wish to be wary of Google Chrome, as section 11.1 states:

You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.

Overall, Chrome looks like a very interesting development in browser security. They've apparently beaten both Explorer and Mozilla/Firefox to market with several security features, especially with respect to privacy. Chrome also sports features like warning users of suspected phishing or malware download sites. Firefox already has this feature built in, but it seems to be becoming the norm for browsers. If, as they claim, Google's stated purpose was to propel browser development into the Web 2.0 arena, they have certainly succeeded on many fronts.